Understanding Protected Health Information (PHI) & How to Protect It

Protected Health Information (PHI)

Protected Health Information, commonly known as PHI, is individually identifiable health information: any information about an individual’s health status, the care they received, or payment for that care, when it is held or transmitted by a HIPAA covered entity or business associate and can be linked to the person. This sensitive data includes records of doctors’ visits, prescription details, laboratory test results, insurance information, and the identifiers that tie those records to an individual. PHI matters both because it is central to patient care and healthcare operations and because it is governed by strict federal privacy and security rules.

Now that healthcare relies heavily on electronic systems for storing and sharing patient data, safeguarding health information is more important than ever.

What Does PHI Stand For in Healthcare?

The PHI acronym stands for protected health information, also referred to on this page as HIPAA data. The Health Insurance Portability and Accountability Act (HIPAA) mandates that PHI be safeguarded. As such, healthcare organizations must know exactly what counts as PHI.

What is PHI?

Under HIPAA, protected health information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form (paper, electronic, or oral). It covers information about an individual’s past, present, or future physical or mental health, the health care provided to them, and payment for that care, whenever that information identifies the individual or could reasonably be used to identify them. In practice this includes the identifiers and clinical details documented throughout routine care and billing, so proper safeguards must be in place from the moment PHI is collected.

Below, we’ve listed the 18 identifiers that the HIPAA Privacy Rule’s Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) names, as explained in guidance from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Health information that is linked to any of these identifiers is PHI; conversely, a record from which all 18 have been removed (and that the organization has no actual knowledge could still identify the individual) is considered de-identified and is no longer PHI.

The 18 identifiers are:

  1. Name
  2. Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes
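As an added example that is not part of the original page, the following Python applies the Safe Harbor rule above to a constructed patient record: fields holding direct identifiers are dropped, dates are reduced to the year, ages over 89 become "90+" (and the date of birth is dropped with them, since its year would reveal the age), ZIP codes are truncated to three digits, and free-text fields are scanned for identifiers that leak into notes. The field names, the sample record, and the restricted-ZIP set are assumptions made for this example; a real implementation needs the Census population lookup the rule requires and a wider set of identifier patterns than the few shown here.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example, not HHS or vendor code. Field names and data are assumptions.
"""
import re

# Field names holding direct identifiers that Safe Harbor says to remove.
# This schema is an assumption for the example, not an HHS-defined one.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
})

# Constructed stand-in for the Census lookup the rule requires: 3-digit ZIP
# prefixes covering 20,000 or fewer people must be replaced with 000.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102", "203"})

# Patterns for identifiers that leak into free-text fields such as notes.
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")  # ISO dates only
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def generalize_age(age: int) -> str:
    """Ages over 89 may only be kept as the single category 90+."""
    return "90+" if age > 89 else str(age)


def generalize_zip(zip_code: str, restricted=RESTRICTED_ZIP3) -> str:
    """Keep the first three digits unless the area is too sparsely populated."""
    prefix = zip_code[:3]
    return "000" if prefix in restricted else prefix


def year_only(date_str: str) -> str:
    """Dates directly related to an individual keep only the year."""
    m = DATE_RE.fullmatch(date_str)
    return m.group(1) if m else ""  # unparseable dates are dropped entirely


def scrub_text(text: str) -> str:
    """Replace identifiers embedded in free text; order avoids partial overlaps."""
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = URL_RE.sub("[URL]", text)
    text = IPV4_RE.sub("[IP]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return DATE_RE.sub(lambda m: m.group(1), text)


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of a flat record."""
    over_89 = int(record.get("age", 0)) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "age":
            out[key] = generalize_age(int(value))
        elif key == "dob":
            if not over_89:  # a birth year would reveal an age over 89
                out[key] = year_only(str(value))
        elif key == "zip":
            out[key] = generalize_zip(str(value))
        elif key.endswith("_date"):
            out[key] = year_only(str(value))
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "dob": "1931-04-02",
    "age": 93,
    "zip": "10001",
    "email": "jane@example.org",
    "admission_date": "2024-03-15",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt called from 555-867-5309; SSN 123-45-6789 on file; portal https://portal.example.org/u/1",
}

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE).items():
        print(f"{field}: {value}")
```

The free-text scrub is the part that is easiest to get wrong in practice: structured fields can be mapped to the 18 identifiers once, but clinical notes routinely contain names, dates, and phone numbers that no schema flags, so a de-identification pipeline needs text scanning (and review) in addition to field-level rules.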

What is ePHI?

Electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received electronically. The HIPAA Security Rule applies specifically to ePHI and sets out the administrative, physical, and technical safeguards a covered entity or business associate must use to protect it, starting with a risk analysis of where ePHI lives and how it moves.

ePHI includes data held on any storage media, such as:

  • Personal computers with internal hard drives used at work, home, or while traveling
  • External portable hard drives
  • Magnetic tape
  • Removable storage devices, including USB drives, CDs, DVDs, and SD cards
  • Smartphones and PDAs

It also includes data in transit over Wi-Fi, Ethernet, modem, DSL, or cable network connections, such as:

  • Email
  • File transfers


The HIPAA Privacy Rule provides federal protections for PHI held by Covered Entities (CEs) and their Business Associates, gives patients rights over that information, and sets the rules for how PHI may be used and disclosed. The Privacy Rule permits disclosure of PHI for treatment, payment, and healthcare operations, but requires that organizations use and disclose only the minimum necessary information and apply appropriate administrative, physical, and technical safeguards to PHI in any form. For ePHI, the Security Rule spells those safeguards out in detail, requiring that the confidentiality, integrity, and availability of the data be maintained.

Safeguards are critical when dealing with protected health information (PHI). There are several measures that organizations must take to ensure the confidentiality, integrity, and availability of PHI. One of the most valuable safeguards is encryption of ePHI at rest and in transit. Encryption ensures that stolen media or intercepted traffic yields nothing readable to anyone without the key, so its protection is only as strong as the key management behind it. It also has a regulatory payoff: under HHS breach notification guidance, ePHI that was encrypted in a manner consistent with that guidance is not considered "unsecured" PHI, so the loss of an encrypted laptop or drive is generally not a reportable breach, provided the key was not compromised along with it.

Other safeguards include:

  • Firewalls
  • Antivirus Software
  • Intrusion Detection Systems
  • Regular Backups

Limiting access to PHI is equally essential. Organizations should restrict access to those employees who need it to perform their duties, in line with the Privacy Rule’s minimum necessary standard, and should enforce that restriction with technical access controls (unique user IDs, role-based permissions, and audit logs of who accessed which records) rather than policy alone. Organizations should also have documented procedures for granting and revoking access rights based on job responsibilities, including periodic access reviews and prompt removal of access when an employee changes roles or leaves.

Proper handling of PHI is also crucial. Employees should be trained on how to handle PHI securely, both in hard copy and electronic formats. This includes guidance on creating strong passwords, recognizing phishing, and reporting suspected breaches promptly so the organization can meet its notification deadlines. Regular training sessions reinforce these practices and keep employees current with best practices.


HIPAA Data Storage, Cloud Storage, and ePHI

It’s important to note that HIPAA treats data storage companies that hold PHI on behalf of a covered entity as Business Associates (BAs). This applies to storage of both physical and digital data, so cloud storage services qualify as BAs even if they rarely or never access or view the ePHI they store. HHS guidance on cloud computing goes further: a cloud service provider is a BA even when it stores only encrypted ePHI and has no decryption key, because it still maintains the data on the covered entity’s behalf.


When dealing with HIPAA data and cloud storage services, CEs and BAs must have Business Associate Agreements (BAAs) in place before any PHI is shared. A good BAA should spell out the permitted uses and disclosures of the PHI, the technical, administrative, and physical safeguards the provider will maintain, its obligation to report security incidents and breaches to the covered entity, the requirement that any subcontractors handling the PHI sign equivalent agreements, what happens to the data when the contract ends, and how liability is allocated in the event of a HIPAA data breach.

Compliancy Group Can Help

When it comes to understanding HIPAA, the Privacy and Security Rules are two of the most significant portions of the regulation. Each rule requires extensive reporting, tracking, and documentation to accompany its regulatory requirements, making the task of managing PHI and an organization’s HIPAA compliance a significantly involved process.

At Compliancy Group, our web-based HIPAA compliance solution, The Guard, simplifies this entire process of protecting health information. The Guard is a total compliance solution built to incorporate the full extent of federal regulation. There’s never an added cost if the regulation changes or expands. Users are notified when policies, procedures, training, and other elements of their compliance are up for review. So monitoring the ongoing status of your organization’s compliance becomes as easy to manage as logging in to The Guard.
